[14451] in cryptography@c2.net mail archive
DH with shared secret
daemon@ATHENA.MIT.EDU (Jack Lloyd)
Fri Oct 3 13:20:31 2003
X-Original-To: cryptography@metzdowd.com
Date: Fri, 3 Oct 2003 05:13:34 -0400 (EDT)
From: Jack Lloyd <lloyd@randombit.net>
To: cryptography@metzdowd.com

This was just something that popped into my head a while back, and I was
wondering if this works like I think it does. And who came up with it
before me, because it was too obvious. It's just that I've never heard of
something along these lines before.

Basically, you share some secret with someone else (call it S). Then you
do a standard issue DH exchange, but instead of the shared key being
g^(xy), it's g^(xyS).

My impression is that, unless you know S, you can't do a successful MITM
attack on the exchange. Additionally, AFAICT, it provides PFS, since if
someone later recovers S, there's still that nasty DH exchange to deal
with. Of course after S is known MITM becomes possible.

Given the recent climate around here, I'll add that I'm not planning on
using this for anything (I only use TLS, I swear! :P), I just thought it
was a semi-interesting idea.

-Jack
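The exchange described in the post, worked through as an added illustration (this is editor-supplied code, not part of the original message or any code of Jack's). The group parameters are a toy choice constructed for illustration (2^127 - 1 is a Mersenne prime; a real deployment would use a standard safe-prime group), the secret S is a constructed value, and the function names are assumptions. The example shows that two parties who both know S arrive at g^(xyS), and that an active party in the middle who substitutes their own g^z can only reach g^(xz) unless they also know S, which is the observation the post makes.

```python
import secrets

# Toy group parameters, constructed for illustration only: 2^127 - 1 is a
# Mersenne prime, so modular arithmetic below is in a real prime field, but
# this is not a standard DH group and is far too small for real use.
P = 2**127 - 1
G = 3


def dh_public(priv):
    """Ordinary DH public value g^priv mod p."""
    return pow(G, priv, P)


def shared_key(peer_public, priv, s):
    """The post's variant: raise the peer's value to priv*S instead of priv.
    Alice gets (g^y)^(xS) and Bob gets (g^x)^(yS); both equal g^(xyS)."""
    return pow(peer_public, priv * s, P)


def honest_exchange(s):
    """Both sides know S. Returns (alice_key, bob_key); they should match."""
    x = secrets.randbelow(P - 2) + 1  # Alice's ephemeral exponent
    y = secrets.randbelow(P - 2) + 1  # Bob's ephemeral exponent
    a_pub, b_pub = dh_public(x), dh_public(y)
    return shared_key(b_pub, x, s), shared_key(a_pub, y, s)


def mitm_exchange(s, middle_knows_s):
    """Model the post's MITM claim from Alice's side of the exchange.

    A party in the middle replaces Bob's value with their own g^z. Alice,
    who knows S, derives g^(xzS). The middle party can derive the same key
    only by also multiplying in S; without S the best they can form from
    g^x and z is g^(xz). Returns (alice_key, key_derived_in_the_middle).
    """
    x = secrets.randbelow(P - 2) + 1
    z = secrets.randbelow(P - 2) + 1
    a_pub = dh_public(x)
    z_pub = dh_public(z)
    alice_key = shared_key(z_pub, x, s)
    s_available = s if middle_knows_s else 1  # 1 means "S unknown": plain g^(xz)
    middle_key = shared_key(a_pub, z, s_available)
    return alice_key, middle_key


if __name__ == "__main__":
    S = 123456789  # constructed shared secret for the demonstration
    k_a, k_b = honest_exchange(S)
    print("honest exchange agrees:", k_a == k_b)
    k_a, k_m = mitm_exchange(S, middle_knows_s=False)
    print("middle party without S matches Alice:", k_a == k_m)
    k_a, k_m = mitm_exchange(S, middle_knows_s=True)
    print("middle party with S matches Alice:", k_a == k_m)
```

Since S only enters as an extra factor in the exponent, the arithmetic is the same modular exponentiation as plain DH; what changes is that agreement on the key now depends on both sides supplying the same S.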
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com